Magnus Hagander <magnus@hagander.net> writes:
> On Tue, Jan 29, 2008 at 03:34:19AM -0500, Kris Jurka wrote:
>> Is it possible to authenticate using GSSAPI over the V2 protocol? Is
>> there any documentation on the message formats for V2?
> Honestly - don't know :-) Never looked at that part.
I tried it --- it's easy to hack libpq so that it does V2 instead of V3:
$ diff -c fe-connect.c~ fe-connect.c
*** fe-connect.c~ Mon Jan 28 21:06:30 2008
--- fe-connect.c Tue Feb 5 19:35:34 2008
***************
*** 855,861 **** conn->addrlist = addrs; conn->addr_cur = addrs; conn->addrlist_family =
hint.ai_family;
! conn->pversion = PG_PROTOCOL(3, 0); conn->status = CONNECTION_NEEDED; /*
--- 855,861 ---- conn->addrlist = addrs; conn->addr_cur = addrs; conn->addrlist_family =
hint.ai_family;
! conn->pversion = PG_PROTOCOL(2, 0); conn->status = CONNECTION_NEEDED; /*
$
The answer is "no, it doesn't work":
$ psql -l
psql: GSSAPI continuation error: Invalid token was supplied
GSSAPI continuation error: No error
$
This surprises me; I would have thought the protocol was fairly
orthogonal to the auth method. We should look into it and see
if there's an easy fix or not. I have no time to poke further
right now, though.
regards, tom lane